00:00:07,760 --> 00:00:33,700
Reconnaissance is always the initial step in a cyberattack. An attacker definitely needs to gather information about its target to be, actually, successful. When it comes to reconnaissance, and basically in a penetration-testing engagement, we usually think of scanning and enumeration. But what does reconnaissance actually look like from an attacker's perspective? It's a little bit different.

00:00:33,700 --> 00:01:02,890
Let's suppose that we are actually performing a pen test for an organization that owns the domain h4cker.org. And, of course, you know, h4cker.org is actually an internet website, so it has an internet presence, as most companies actually do. Now, this presence is actually a website hosted somewhere on-premise or in the cloud. Also, the company may actually have several other systems in different subdomains and in different networks.

00:01:02,890 --> 00:01:27,730
A cyber-attacker needs to determine everything that is exposed, and typically he or she will create a threat model of the victim. They need to understand what systems, what ports, what protocols are actually exposed to the Internet. Now, also, what key individuals he or she can target within the organization to carry out social engineering attacks, spear-phishing, and many other attacks.

00:01:27,730 --> 00:02:03,830
Now, there are two ways that you can perform reconnaissance, both active and passive. Active reconnaissance is actually whenever you launch tools and packets against an organization, its systems, networks, to enumerate and discover many different vulnerabilities and anything else that is exposed. Now, passive reconnaissance is actually the opposite. You are not actively performing a scan or launching any tools or packets against the victim. This is actually done by leveraging Open Source Intelligence, or OSINT, and public records.

00:02:03,830 --> 00:02:32,623
Now, there are examples of different sources that you can actually, you know, use to perform passive reconnaissance. One of them is actually the Google Hacking Database, DNS records, Shodan, Whois information, tools like Recon-ng, Maltego, SpiderFoot and many others. I have a very comprehensive list of passive and active reconnaissance tools at the GitHub repository for this course. Now, in the next lesson, we'll actually go over many of these tools and resources.